With Google's customer data now a prime target for sophisticated cyber attacks, do we now need some peace of mind in the form of free anti-malware software and services from the company in order to protect us?
The fallout from Google's recent Chinese cyber-attacks which may cause them to cut their ties with the communist nation raises a number of questions as to what sort of data protection and security the company should provide to its huge customer base of GMail and Google Office applications.
I don't know about how everyone else is feeling, but as a GMail and Google Apps user I'm starting to get that creepy feeling that the front door of my house is wide open and the bad guys are waiting to walk in and grab all of my stuff while I'm away.
Back in early December of last year, I appealed to Google to provide its customers with an online-based backup service, which I tentatively called Google Backup. Last week, it appears that Google got the message, by now providing enhanced capabilities to Google Docs in which any form of data, up to 250MB per file, can be stored.
For regular consumers, additional storage above the free amount can be purchased for approximately 25 cents per gigabyte per year. While online cloud-based backup appears to be only part of the much more expensive Google Apps Premier Edition and thru partner services like Memeo and Syncplicity, the "Google Drive" that everyone has been clamoring for has for the most part surfaced.Now that Google Docs will be seen as a major online storage platform for consumers and corporations, that makes it a very high value target, and we can expect that the Chinese cyber-attacks are only the beginning of a trend towards an ever increasing environment in the cloud where hosted data will constantly be under the attack by interested parties.
Whether these attacks came from a group connected to the Chinese government or simply a rogue criminal organization is unimportant from the perspective of Google's customers. The bottom line is that if we're going to use these online storage services from Google, we want protection, and we want it now.
According to multiple sources, the Chinese GMail attacks used a Zero Day exploit in the Windows Internet Explorer browser as part of their toolset and techniques used to penetrate Google's security. Our own Windows maven, Ed Bott, suggests that it's time for IE6 to die in IT environments and for personal use. I agree with Ed but I'm going to take that a few steps further.
Recently Google turned HTTPS on by default for all connections to GMail and its apps sites. This is a good start, but it's not enough.
For starters, IE 6 should be blacklisted from being used as a web browser on any of the Google sites. It should be persona non grata, verboten. This policy should be adopted like, um, yesterday.
If Google detects incoming connections from IE6, the offending end-user should get an immediate message to the likes of "In order to provide our customers a secure and safe experience we no longer support the version of the web browser you are currently using. Please use one of the following web browsers instead, yadda yadda" and provide the relevant links to download Chrome, Firefox, IE 8, Safari and Opera.
Next, Google needs to ensure that its customers are practicing safe browsing and are securing their systems, because your security is only as good as your weakest link. For this, I suggest that Google start going on a shopping spree and buy up a whole bunch of PC and Internet security firms, particularly ones that develop multi-platform antivirus, antimalware and firewall solutions, and then offer that stack to all of its customers.
Companies like Kaspersky Lab and ESET might be good candidates for multi-platform antivirus solutions for Google's coffers, since their software runs on Windows, Linux, Mac and other Unixes, and would be easy to bake into Android and Chrome OS. There are a number of other firms and/or Open Source projects that would be good buys/plays which would form the other portions of the "Google Security" stack.
Every Google customer should have to go through a comprehensive multi-point inspection depending on the platform they are running to certify that their PC/Mac/Linux/Smartphone system is protected for using Google sites. This would include firewall port settings, ensuring that they have an antivirus with current definitions installed, and that the system is properly protected against spyware.
Obviously, in the case of Windows, free antivirus, antimalware/antispyware and firewall for all Google customers will be a necessity. Most corporate customers would be already covered in that most large corporations have standard antivirus, firewall and antimalware compliance policies set, and the Google multi-point audit utility would catch anything else that needed to be locked down.
The largest issue would be with small businesses and home users that don't properly update or secure their systems. For these customers, a Google Security Suite that includes everything they need to protect their systems and run safely on Google's sites -- provided for free -- would be a godsend.
Do Google Apps customers need a free Google Security stack? Talk Back and Let Me Know.